When Compliance ≠ Security: Quantifying AI Governance Gaps

"AI governance is at a turning point. As more organizations rely on compliance frameworks like NIST AI RMF, the UK AI Risk Toolkit, and the EU’s ALTAI to guide “responsible AI,” a critical question remains: Do these standards actually protect us?

In this talk, I’ll present the first security-focused, quantitative audit of these three influential AI governance standards. Using a transparent, reproducible methodology and four custom-built risk metrics, we uncovered 136 security vulnerabilities—many of them high-risk, and most of them unresolved by the frameworks themselves.

Key takeaways:
• Why data governance must go beyond principles and checkboxes to address adversarial threats, model misuse, and third-party vulnerabilities
• How metrics like the Compliance-Security Gap Percentage (CSGP) and Root Cause Vulnerability Score (RCVS) can help practitioners and policymakers evaluate frameworks objectively
• What it means when up to 80% of high-risk issues in a framework remain unmitigated, even when “compliant”
• Recommendations to make AI governance more enforceable, secure, and aligned with real-world risk

If you’re working at the intersection of policy, engineering, ethics, or infrastructure, and want data-backed insight into how to strengthen governance, this talk is designed for you. Open code, full findings, and space for community contribution included."